How to Harden Your cPanel System’s Kernel in WHM

Overview

This document describes how to install the cPanel Hardened Kernel update for the Linux® kernel on CentOS 6 servers.

If you enable both the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve any file on the server that strict OS-level permissions do not protect. The cPanel Hardened Kernel update provides Symlink Race Condition Protection.

Important:

The cPanel-provided kernel update will not work for OpenVZ®, Virtuozzo®, LXC, or other container-based systems.

This document applies only to 64-bit CentOS 6 systems.

cPanel & WHM does not automatically update the operating system kernel. Unattended system kernel updates may cause unplanned reboots or system failures.

We strongly suggest that only experienced System Administrators perform this process.

Do not perform these steps if you are using KernelCare™, KernelSplice or similar technologies.

Harden your system’s kernel

To harden your cPanel system’s kernel, log in to your server as the root user via SSH and perform the following steps:

Retrieve the repository from cPanel

After you log in to your server, download the signed kernel repository from the securedownloads.cpanel.net site. To do this, run the following command:

Restart the server

After you update the kernel, you must restart the system to complete the kernel update. To reboot the server, run the reboot command.

This command returns output that resembles the following example:

Broadcast message from user@example.com
(/dev/pts/0) at 13:02 ...
The system is going down for reboot NOW!
bash-4.1# Connection to example.com closed by remote host.

Verify the kernel update

After you reboot your server, verify that the cPanel Hardened Kernel update succeeded. To do this, log in to the server as the root user via SSH and run the uname -r command. This command returns output that resembles the following example:

[user@example.com ~]$ uname -r
2.6.32-573.22.199.cpanel6.x86_64

If the command’s output includes cpanel in the returned value, you successfully updated the kernel.
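The following added example is not part of the original document and is not cPanel's code. It combines the Overview's symlink condition with the kernel check above: it lists Apache Options lines that enable both settings and tests whether a kernel release string contains cpanel. The function names and the sample configuration are constructed for illustration, and each Options line is judged on its own.

```shell
# Added example (not cPanel's code); all function names are hypothetical.
# Print "file:line: text" for each Options directive that enables both
# FollowSymLinks and SymLinksIfOwnerMatch. Each line is judged on its own;
# merging across <Directory> sections and .htaccess files is not modelled.
find_dual_symlink_options() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "options" {
            follow = 0; owner = 0
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt ~ /^-/) continue         # "-Name" switches it off
                sub(/^\+/, "", opt)
                if (opt == "followsymlinks") follow = 1
                if (opt == "symlinksifownermatch") owner = 1
            }
            if (follow && owner) printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# True when a kernel release string (as printed by uname -r) contains "cpanel".
kernel_is_cpanel() {
    case "$1" in *cpanel*) return 0 ;; *) return 1 ;; esac
}

# $1 = kernel release, remaining arguments = Apache configuration files.
# Returns 1 only when both settings are on and the release lacks "cpanel".
audit_symlink_exposure() {
    release=$1; shift
    hits=$(find_dual_symlink_options "$@")
    [ -n "$hits" ] || { echo "OK: no Options line enables both settings"; return 0; }
    printf '%s\n' "$hits"
    if kernel_is_cpanel "$release"; then
        echo "OK: kernel release $release contains cpanel"; return 0
    fi
    echo "WARN: both settings enabled; kernel $release is not a cpanel kernel"; return 1
}

# Constructed sample configuration, written to a temporary file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<Directory "/home/*/public_html">
    Options +FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
# Options FollowSymLinks SymLinksIfOwnerMatch
<Directory "/var/www/html">
    Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
EOF
audit_symlink_exposure "$(uname -r)" "$SAMPLE_CONF" || true
```

To audit a real server, pass the paths of your own Apache configuration files in place of the sample file.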